Techniques for dynamic endpoint secure location awareness

ABSTRACT

Techniques for dynamic endpoint secure location awareness may include determining that a mobile device changed locations. A platform security engine in the mobile device may dynamically send a location query. A location response may be received. The platform security engine may determine whether the mobile device is located in a secure location based on the location response. Other embodiments are described and claimed.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of, claims the benefit of and priority to U.S. patent application Ser. No. 13/976,434 filed on Jun. 26, 2013, which is a U.S. National Stage of International Patent Application No. PCT/US2011/053701 filed on Sep. 28, 2011. The subject matter of both the U.S. and international patent applications is hereby incorporated by reference in its entirety.

BACKGROUND

Devices such as smart phones, laptops, tablets and/or netbooks may communicate with other devices through enterprise servers and/or the Internet. As the devices are mobile, they are constantly moved from one location to another. At each location, a security policy may be determined for the mobile device or endpoint. A mobile device may set a security policy based on a determination of whether a particular location is secure.

Currently, mobile devices use endpoint security software to determine the security level of the mobile device in a location. The mobile device may extract environmental factors or attributes, such as an internet protocol address and/or a domain name server, to determine an appropriate security policy. However, the security software that is running on the mobile device may be spoofed to trick a mobile device into determining that a location is secure when the mobile device is actually located in a non-secure location. This lying endpoint problem results in the mobile device having a lower security policy than what it should have in a non-secure location and leaves the mobile device open to various threats and attacks.

In addition to the endpoint spoofing problem, there is also a lack of standardization in location checking and in the information received by the mobile devices. Each security software independent service vendor implements its own methods and, therefore, it is impossible to keep the same level of security across various mobile devices. This results in an inconsistent security policy which leaves a mobile device open to threats and/or attacks. It is with respect to these and other considerations that the present improvements have been needed.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an embodiment of a secure location awareness centralized system.

FIG. 2 illustrates a block diagram of a secure location awareness distributed system.

FIG. 3 illustrates a block diagram of an exemplary distributed system with communication between a platform security engine and a security component.

FIG. 4 illustrates a block diagram of an exemplary distributed system with a mobile device and an independent software vendor server.

FIG. 5 illustrates a block diagram of an exemplary distributed system with a mobile device and cloud computing.

FIG. 6 illustrates an embodiment of a logic flow of determining a secure location.

FIG. 7 illustrates an embodiment of a logic flow of setting a security policy.

FIG. 8 illustrates an embodiment of a logic flow of a location response.

FIG. 9 illustrates an embodiment of a computing architecture.

FIG. 10 illustrates an embodiment of a communications architecture.

DETAILED DESCRIPTION

Various embodiments are directed to techniques for dynamic endpoint secure location awareness. Some embodiments are particularly directed to techniques for determining that a mobile device changed locations. A platform security engine in the mobile device may dynamically send a location query. A location response may be received and, based on the location response, the platform security engine may determine whether the mobile device is located in a secure location.

In an embodiment, for example, a system may include a mobile device. The mobile device may include a processing circuit and a platform security engine. In an embodiment, the platform security engine may be utilized to determine that a mobile device changed locations, dynamically send a location query, receive a location response and determine whether the mobile device is located in a secure location based on the location response.

Using the platform security engine in a mobile device ensures that the mobile device has a secure location awareness capability. The platform security engine may provide a secure location awareness check. The platform security engine may be notified that the mobile device changed locations. The platform security engine may determine whether the mobile device is in a secure location through a common, trusted and secure system. The platform security engine may send a location query which is received by an independent service vendor server and/or a server in cloud computing. The independent service vendor server and/or the server in cloud computing may respond to the platform security engine's query. The independent service vendor server and/or the server in cloud computing may communicate with the hardware on the platform security engine through software which was previously downloaded on the independent service vendor server and/or the server in cloud computing. The independent service vendor server and/or the server in cloud computing may provide a secure location response to the platform security engine indicating the location of the mobile device. The independent service vendor server may respond to the platform security engine stating that the mobile device is on a private network. The server in cloud computing may respond to the platform security engine indicating that the mobile device is on a public network. Based on the response, the platform security engine can determine whether the mobile device is in a secure location. The mobile device may determine that a private network is a secure location and that a public network is a non-secure location.

Based on the determination, the security component in the mobile device may query the platform security engine via an application program interface to determine the location status in order to set the security policy. The platform security engine may respond to the query indicating that the location is secure or that the location is not secure. Based on the response from the query, the security component may determine a security policy for the mobile device. The security policy may be a set of rules to protect, detect and/or remove possible attacks and/or threats to the mobile device. In an embodiment, a strict security policy with many rules may be set when the mobile device is in a non-secure location, such as a public network. The mobile device may set a more lenient security policy when the mobile device is in a secure location, such as a private network.

In an embodiment, the mobile device may dynamically send a query so that the mobile device can quickly determine when it is in a new location and the level of security in that location. For example, the platform security engine may dynamically determine that the mobile device has changed locations from a private network to a public network based on an event trigger from a communication component within the mobile device. As a result of the event trigger, the platform security engine may authenticate with an independent vendor server or a server in cloud computing. As the platform security engine in the mobile device may authenticate prior to sending a location query to an independent service vendor server or a server in cloud computing, the communication between the platform security engine and the mobile device may be secure. As the platform security engine determines whether the location is secure, the mobile device does not need to rely on environmental factors and/or attributes to determine whether the location is secure, and as a result, the endpoint location cannot be spoofed.

Reference is now made to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding thereof. It may be evident, however, that the novel embodiments can be practiced without these specific details. In other instances, well known structures and devices are shown in block diagram form in order to facilitate a description thereof. The intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the claimed subject matter.

FIG. 1 illustrates a block diagram of a secure location awareness system 100. In one embodiment, the system 100 may comprise a communications system 100. Although the system 100 shown in FIG. 1 has a limited number of elements in a certain topology, it may be appreciated that the system 100 may include more or fewer elements in alternate topologies as desired for a given implementation.

In various embodiments, the communications system 100 may comprise a wireless communications system or a combination of both a wired communication system and a wireless communication system. For example, the communications system 100 may include one or more devices arranged to communicate information over one or more types of wired communication links. Examples of a wired communication link may include, without limitation, a wire, cable, bus, printed circuit board (PCB), Ethernet connection, peer-to-peer (P2P) connection, backplane, switch fabric, semiconductor material, twisted-pair wire, co-axial cable, fiber optic connection, and so forth. The communications system 100 also may include one or more devices arranged to communicate information over one or more types of wireless communication links, such as wireless shared media 150. The communication system 100 may have one or more devices 110, 120, 130. A device 110, 120, 130 generally may comprise any physical or logical entity for communicating information in a communications system 100. A device 110, 120, 130 may be implemented as hardware, software, or any combination thereof, as desired for a given set of design parameters or performance constraints. Although FIG. 1 may show a limited number of devices by way of example, it can be appreciated that more or fewer devices may be employed for a given implementation.

In an embodiment, a device 110, 120, 130 may be a computer-implemented system having one or more software applications and/or components. For example, a device 110, 120, 130 may comprise, or be implemented as, a computer system, a computing device, a computer sub-system, a computer, an appliance, a workstation, a terminal, a server, a personal computer (PC), a laptop, an ultra-laptop, a handheld computer, a personal digital assistant (PDA), a smart phone, a tablet computer, a gaming device, a set top box (STB), a television, a digital television, a telephone, a mobile telephone, a cellular telephone, a handset, a wireless access point, a base station (BS), a subscriber station (SS), a mobile subscriber center (MSC), a radio network controller (RNC), a microprocessor, an integrated circuit such as an application specific integrated circuit (ASIC), a programmable logic device (PLD), a processing circuit such as a general purpose processor, a graphics processor, an application processor, a digital signal processor (DSP) and/or a network processor, an interface, an input/output (I/O) device (e.g., keyboard, mouse, a display, a liquid crystal display (LCD), a touch screen display, printer, speakers), a router, a hub, a gateway, a bridge, a switch, a circuit, a logic gate, a register, a semiconductor device, a chip, a transistor, or any other device, machine, tool, equipment, component, or combination thereof. The embodiments are not limited in this context.

In an embodiment, a device 110, 120, 130 may comprise, or be implemented as, software, a software module, an application, a program, a subroutine, an instruction set, computing code, words, values, symbols or a combination thereof. A device 110, 120, 130 may be implemented according to a predefined computer language, manner or syntax, for instructing a processor to perform a certain function. Examples of a computer language may include C, C++, Java, BASIC, Perl, Matlab, Pascal, Visual BASIC, assembly language, machine code, micro-code for a network processor, and so forth. The embodiments are not limited in this context.

A device 110, 120, 130 may be a computing device 120. A computing device 120 may execute processing operations or logic for the system 100 using a processing component 140. In an embodiment, the processing component may be a processor executed by the personal area network and/or the wide area network. The processing component 140 may comprise various hardware elements, software elements, or a combination of both. Examples of hardware elements may include devices, components, processors, microprocessors, circuits, circuit elements (e.g., transistors, resistors, capacitors, inductors, and so forth), integrated circuits, application specific integrated circuits (ASIC), programmable logic devices (PLD), digital signal processors (DSP), field programmable gate arrays (FPGA), memory units, logic gates, registers, semiconductor devices, chips, microchips, chip sets, and so forth. Examples of software elements may include software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (API), instruction sets, computing code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. Determining whether an embodiment is implemented using hardware elements and/or software elements may vary in accordance with any number of factors, such as desired computational rate, power levels, heat tolerances, processing cycle budget, input data rates, output data rates, memory resources, data bus speeds and other design or performance constraints, as desired for a given implementation.

The device 120 may communicate with other devices, such as, but not limited to, device 110, 130, over a communications media 125 using communications signals via the communications component 145. By way of example, and not limitation, communications media 125 includes wired communications media and wireless communications media. Examples of wired communications media 125 may include a wire, cable, metal leads, printed circuit boards (PCB), backplanes, switch fabrics, semiconductor material, twisted-pair wire, co-axial cable, fiber optics, a propagated signal, and so forth. Examples of wireless communications media 115 may include acoustic, radio-frequency (RF) spectrum, infrared and other wireless media.

The computing device 120 may execute communications operations or logic using a communications component 145. The communications component 145 may implement any well-known communications techniques and protocols, such as techniques suitable for use with packet-switched networks (e.g., public networks such as the Internet, private networks such as an enterprise intranet, and so forth), circuit-switched networks (e.g., the public switched telephone network), or a combination of packet-switched networks and circuit-switched networks (with suitable gateways and translators). The communications component 145 may include various types of standard communication elements, such as one or more communications interfaces, network interfaces, network interface cards (NIC), radios, wireless transmitters/receivers (transceivers), wired and/or wireless communication media, physical connectors, and so forth. In an embodiment, the communications component 145 may be operative on the processing circuit to communicate with a server. In an embodiment, the communication component may include a radio-frequency transceiver to communicate electromagnetic signals representing information.

The communications components 145 may comprise, or be implemented as, software, a software module, an application, a program, a subroutine, instructions, an instruction set, computing code, words, values, symbols or a combination thereof. The instructions may include any suitable type of code, such as source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. The instructions may be implemented according to a predefined computer language, manner or syntax, for instructing a processor to perform a certain function. The instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled and/or interpreted programming language, such as C, C++, Java, BASIC, Perl, Matlab, Pascal, Visual BASIC, assembly language, machine code, and so forth. The embodiments are not limited in this context. When communications component 140 is implemented as software, the software may be executed by any suitable processor and memory unit.

The computing device 120 may include a platform security engine 150 and a security component 170. The platform security engine 150 may provide secure location awareness. In an embodiment, the platform security engine 150 may dynamically send a location query. The platform security engine 150 may receive location responses. In an embodiment, a location response may indicate that computing device 120 is on a private network, such as, but not limited to, a corporate or an enterprise network. In an embodiment, a location response may indicate that a computing device 120 is on a public network, such as, but not limited to, the Internet. Based on the location response, the platform security engine 170 may determine whether the computing device 120 is in a secure location.

In an embodiment, the security component 170 may set a security policy based on the location of the computing device 120. In an embodiment, the security component 170 may adjust the security policy of the computing device 120. In an embodiment, the security component may include security software and the security policy may be adjusted by changing the configuration of the security software. The security policy may be a set of rules to protect, detect and/or remove possible attacks and/or threats to the computing device 120. In an embodiment, the security policy may include a few rules and be a lenient security policy when the computing device 120 is in a secure location, such as a private network, since a secure location provides protections from attacks and/or threats. In an embodiment, the security policy may include a strict security policy with many rules when the computing device 120 is in a non-secure location, such as a public network, in order to protect the computing device 120 from attacks and/or threats.

FIG. 2 illustrates a block diagram of a secure location awareness distributed system 200. The distributed system 200 may distribute portions of the structure and/or operations for the system 100 across multiple computing entities. Examples of distributed system 200 may include without limitation a client-server architecture, a 3-tier architecture, an N-tier architecture, a tightly-coupled or clustered architecture, a peer-to-peer architecture, a master-slave architecture, a shared database architecture, and other types of distributed systems. The embodiments are not limited in this context.

The client system 210 and the server system 215 may process information using the processing components 240, which are similar to the processing component 140 described with reference to FIG. 1. The client system 210 and the server system 215 may communicate with each other over a communications media 220 via communications components 245, which are similar to the communications component 145 described with reference to FIG. 1.

In one embodiment, for example, the distributed system 200 may be implemented as a client-server system. A client system 210 may include a platform security engine 250 and a security component 270. In an embodiment, the client system 210 may include a platform security engine 250 which is similar to the platform security engine 150 described with reference to FIG. 1. The client system 210 may include a security component 270 which is similar to the security component 170 described with reference to FIG. 1.

In an embodiment, a platform security engine 250 may include both hardware elements and software elements. The platform security engine 250 may include architecture hardware security engines. For example, the platform security engine may include the management engine available on a netbook. The platform security engine 250 may communicate with a server system 215. Through this communication, the platform security engine 250 may provide secure location awareness to the client system 210.

In an embodiment, the security component 270 may include software elements which set the security policy for the computing device 120. In an embodiment, the security component 170 may include security software that provides protection to the client system 210. In an embodiment, the security component 270 may include endpoint security software. In an embodiment, the security component 270 may include, but is not limited to, a personal firewall, host data loss prevention (DLP) software, host intrusion prevention software (IPS), and/or antivirus software to implement one or more rules based on the location of the mobile device. For example, the security component 270 may include, but is not limited to, a McAfee® personal firewall or a Checkpoint® host DLP. In an embodiment, the security component 270 may set a security policy based on the location of the mobile device determined by the platform security engine. The security policy may be a set of rules to protect, detect and/or remove possible attacks and/or threats to the mobile device. In an embodiment, the security policy may be a set of personal firewall rules that allow or block ingress or egress traffic to the mobile device. In an embodiment, the security policy may include a few rules and be a lenient security policy when the mobile device is in a secure location. A secure location may be a trusted network. A secure location may have measures to protect the mobile device from attacks and/or threats. Accordingly, the mobile device does not need to implement a strict security policy in a secure location. The mobile device may have a simpler and/or lighter protection scheme when located in a secure location.

In an embodiment, the security policy may include a strict security policy with many rules when the mobile device is in a non-secure location. A non-secure location may be an un-trusted network. A non-secure location may have few or no protections against attacks from other devices. For example, if the mobile device is on a private network, then the security policy may include fewer rules than if the mobile device is on a public network. The mobile device may have a security policy with a stringent protection scheme when located in a non-secure location.

In various embodiments, the client system 210 may comprise or employ one or more client computing devices and/or client programs that operate to perform various methodologies in accordance with the described embodiments.

In various embodiments, the client system 210 may comprise one or more of the devices discussed with regards to the devices 110, 120 and 130 in FIG. 1. In particular, the client system may be implemented as a mobile device such as, but not limited to, a laptop, a handheld computer, a personal digital assistant (PDA), a smart phone, a tablet computer, a notebook, an ultrabook and a netbook. The mobile device may be a mobile endpoint that can roam between various locations and networks.

In an embodiment, a server system 215 may implement a secure location response component 280. In an embodiment, the secure location response component 280 may include software that will allow communication between the client system 210 and the platform security engine 250. In an embodiment, the software may be installed, downloaded and/or run on the server system 215.

In various embodiments, the server system 215 may comprise or employ one or more server computing devices and/or server programs that operate to perform various methodologies in accordance with the described embodiments. For example, when installed and/or deployed, a server program may support one or more server roles of the server computing device for providing certain services and features. Exemplary server systems 215 may include, for example, stand-alone and enterprise-class server computers operating a server OS such as a MICROSOFT® OS, a UNIX® OS, a LINUX® OS, or other suitable server-based OS. Exemplary server programs may include, for example, communications server programs such as Microsoft® Office Communications Server (OCS) for managing incoming and outgoing messages, messaging server programs such as Microsoft® Exchange Server for providing unified messaging (UM) for e-mail, voicemail, VoIP, instant messaging (IM), group IM, enhanced presence, and audio-video conferencing, and/or other types of programs, applications, or services in accordance with the described embodiments.

In an embodiment, the platform security engine 250 may determine a location of the client system 210 by dynamically sending a query. In an embodiment, prior to a platform security engine 250 sending a location query, the platform security engine 250 of the client system 210 and the server system 215 may establish secure communication. In an embodiment, the platform security engine 250 of the client system 210 may authenticate with the server system 215. For example, the platform security engine 250 may authenticate using public/private asymmetric RSA keys. Public/private asymmetric RSA keys may be generated by the private key infrastructure of the server system 215. In an embodiment, usage of keys for authentication can provide secure communication between the platform security engine 250 in the client system 210 and the server system 210.

In an embodiment, after authentication, the platform security engine 250 may send a query to the server system 215. The server system 215 may respond to the query. In an embodiment, the secure location response component 280 in the server system may include software elements that are run on the server system 215 in order to communicate with the platform security engine 250. In an embodiment, software may be downloaded by the server system 215 prior to communication with the platform security engine 250. The secure location response component 280 in the server system 215 may receive and respond to the query.

The secure location response component 280 in the server system 215 may send a response with information about the location of the client system 210. For example, the server system 215 may send a response stating that the client system 210 is on a private network, such as, but not limited to, a corporate or enterprise network. For example, the server system 215 may send a response stating that the mobile device is on a public network, such as, but not limited to, the Internet.

Based on the response, the platform security engine 250 of the client system 210 can determine whether the client system 210 is located in a secure location. As the platform security engine 250 of the client system 210 may securely communicate with the server system 215, the client system 210 cannot be tricked, by environment factors or attributes, such as a fake internet protocol address, into determining that the client system 210 is located in a secure location when in fact the client system 210 is located in a non-secure location.

After the platform security engine 250 determines whether the location is secure, the security component 270 may query the platform security engine 250 to obtain the location status of the client device 210.

FIG. 3 illustrates a block diagram of an exemplary distributed system with a communication between a platform security engine 270 and a security component 270. In an embodiment, the security component 270 may send a policy query 255 to the platform security engine 250 via an application program interface. Using the application programming interface, the security component 270 may send a policy query 255 to the platform security engine 250 and dynamically obtain whether a client device 210 is in a secure location or a non-secure location. In other words, the security component 270 may dynamically identify whether the network is trusted or not based on the response to the query.

The platform security engine 250 may send a policy response 265 to the security component 270. In an embodiment, the policy response 265 may include information indicating whether the client system 210 is located in a secure location. In an embodiment, the platform security engine 250 may send a policy response 265 indicating whether the client system 210 is located in a secure location based on the query and response sent between the platform security engine 250 and the server system 215.

Unlike non-secure location awareness systems, the security component 270 may not do the decision making and network trust evaluation. Instead, the platform security engine 250 may determine whether the location is secure and may communicate the location status, such as whether the location is secure, to the security component 270.

FIG. 4 illustrates a block diagram of an exemplary distributed system with a mobile device 310 and an independent software vendor server 315. In an embodiment, the server system may be an independent service vendor server 315. In an embodiment, the mobile device 310 may include a platform security engine 350 which is similar to the platform security engine 150, 250 described with reference to FIGS. 1 and 2. The mobile device 310 may include a security component 370 which is similar to the security component 170, 270 described with reference to FIGS. 1 and 2. In an embodiment, the independent service vendor server 315 may include a secure location response component 380 which is similar to the secure location response component 280 described with reference to FIG. 2.

In an embodiment, the independent service vendor server 315 may be an enterprise level server. In an embodiment, the independent service vendor server 315 may be a McAfee® server, an Intel® server or other server. In an embodiment, the vendor of the enterprise level server may include a secure location response component 380 in order to communicate with the platform security engine 350 of the mobile device 310. In an embodiment, the secure location response component 380 may be software that was previously downloaded onto the independent service vendor server 315. In an embodiment, the secure location response component 380 may be software that runs on the independent service vendor server 315.

In an embodiment, the platform security engine 350 may initiate communication with the independent service vendor server 315. In an embodiment, a platform security engine 350 may communicate with an independent service vendor server 315 using secure communication. In an embodiment, a secure location response component 380 in the independent service vendor server 315 may communicate using a secure connection with the platform security engine 350 in the mobile device 310. In an embodiment, the communication between the mobile device 310 and the independent service vendor server 315 may use encryption. In an embodiment, the communication between the mobile device 310 and the independent service vendor server 315 may use a certificate and/or an RSA key pair. For example, a platform security engine 350 may have access to a private key or other method of encryption in order for the platform security engine 350 to communicate with the independent service vendor server 315. In an embodiment, the platform security engine 350 may use a generated RSA key pair for authentication with the independent service vendor server 310. In an embodiment, the platform security engine 350 may try to establish a secure socket layer (SSL) connection to a predefined fully qualified domain name (FQDN) that is resolvable inside a corporate network to the independent service vendor server IP.

In an embodiment, the platform security engine 350 may authenticate using a predefined address. In an embodiment, secure communication may be established using a uniform resource locator and/or a fully qualified domain name. For example, a fully qualified domain name may include, but is not limited to, https://www.sla.com.

In an embodiment, the platform security engine 350 may dynamically send a location query 325 which is received by the independent service vendor server 315. In an embodiment, a platform security engine 350 may send a location query 325 based on an event trigger. In an embodiment, platform security engine 350 may send a location query 325 when the communications component 345 identifies a change in location. For example, a Network Interface Card (NIC) may identify a new location or network and notify the platform security engine 350 using an event trigger. Based on the event trigger, the platform security engine 350 may send a location query 325. For example, the communications component 345 may identify a change in location based on the endpoint routing table. Based on the event trigger, the platform security engine 350 may perform a secure location check by dynamically sending a location query 325. The embodiments are not limited in this context.

In an embodiment, the secure location response component 380 in the independent service vendor server 315 may send a response 335 to the platform security engine 350. In an embodiment, the location response 335 from the independent service vendor server 315 may provide information about the current location of the mobile device 310. For example, the independent service vendor server 315 may provide information in the location response 335 indicating that the mobile device 310 is located on a private network, such as, but not limited to, a corporate or an enterprise network. In an embodiment, the private network may be an office. A private network may be determined by the platform security engine 350 to be a secure location and/or environment as a private network may have secure firewalls, encryption and/or other types of security to prevent the mobile device from external attacks and threats. In an embodiment, based on the location response 335 indicating that the mobile device 310 is in a private network, the mobile device 310 may determine that it is located in a secure location.

Based on the location, a security policy may be set for the mobiledevice 310. The security policy may be a set of rules to protect, detectand/or remove possible attacks and/or threats to the mobile device 310.The security component 370 may determine a security policy for themobile device 310 based on whether the mobile device 310 is in a securelocation, such as a private network, or a non-secure location, such as apublic network or a non-secure location, such as the Internet.

In an embodiment, the security component 370 may include softwareelements which set and/or change a configuration of the security policyfor the mobile device 310. In an embodiment, the security component 370may include security software that provides protection to the mobiledevice 310. In an embodiment, the security component 370 may set asecurity policy based on the location of the mobile device 310determined by the platform security engine 350.

In an embodiment, the security component 370 may query the platformsecurity engine 350 via an application program interface. Using theapplication programming interface, the security component 370 may querythe platform security engine 350 and dynamically identify whether mobiledevice 310 is in a secure location or a non-secure location. Thesecurity component 370 may use the response query from the platformsecurity engine 350 to learn whether the location is secure ornon-secure. The security component 370 may implement a security policybased on the determination of a platform security engine 350. In anembodiment, the security component 370 may set a lenient security policywith a few rules when the mobile device 320 is in a secure location.

In an embodiment, based on the location, communication settings and/orhardware setting may be adjusted on the mobile device 310. In anembodiment, types of communications may be limited when the mobiledevice 310 is in a non-secure location. In an embodiment, communicationrates may be reduced when the mobile device 310 is in a non-securelocation. In an embodiment, the hardware setting may be reduced when themobile device 310 is in a non-secure location. For example, in anembodiment, power consumption may be reduced when the mobile device 310is in a non-secure location.

FIG. 5 illustrates a block diagram of an exemplary distributed system with a mobile device 410 and cloud computing 415. In an embodiment, the mobile device 410 may include a platform security engine 450 which is similar to the platform security engine 150, 250, 350 described with reference to FIGS. 1-4. The mobile device 410 may include a security component 470 which is similar to the security component 170, 270, 370 described with reference to FIGS. 1-4. In an embodiment, the cloud computing 415 may include a secure location response component 480 which is similar to the secure location response component 280, 380 described with reference to FIG. 2 and FIG. 4.

In an embodiment, the platform security engine 450 in the mobile device 410 may communicate with a server in cloud computing 415. In an embodiment, a cloud computing provider may deliver applications via a public network, such as, but not limited to, the Internet. In cloud computing 415, data may be stored in a server in a data center at a remote location. In an embodiment, the cloud may include a McAfee cloud with a McAfee data center with McAfee servers and/or an Intel cloud with an Intel data center with Intel servers. The example is not limited to these computing clouds, data centers and servers.

In an embodiment, a server in the data center may include the secure location response component 480. In an embodiment, the secure location response component 480 may be software that was previously downloaded onto a server in cloud computing 415. In an embodiment, the secure location response component 480 may be software that runs on the server in cloud computing 415.

In an embodiment, a platform security engine 450 may communicate with a server in cloud computing 415 using secure communication. In an embodiment, a secure location response component 480 in a server in cloud computing 415 may securely communicate with the platform security engine 450 in the mobile device 410. As discussed with the communication between an independent service vendor server 315 and a platform security engine 350, the server in cloud computing 415 may communicate using a secure connection with the platform security engine 450. In an embodiment, the communication between a mobile device 410 and a server in cloud computing 415 may use encryption, a certificate and/or an RSA key pair. For example, a platform security engine 450 may use a generated RSA key pair for authentication with a server in cloud computing 415.

In an embodiment, the platform security engine 450 may securely communicate with a server in cloud computing 415 using a predefined address, a uniform resource locator and/or a fully qualified domain name. For example, a fully qualified domain name may include, but is not limited to, https://www.sla.com. In an embodiment, the fully qualified domain name may be resolved outside the cloud computing 415 environment.

In an embodiment, the platform security engine 450 may dynamically send a location query 425. For example, the platform security engine 450 may dynamically send a location query 425 which is received by a server in cloud computing 415. In an embodiment, a platform security engine 450 may send a location query 425 based on an event trigger. In an embodiment, the platform security engine 450 may send a location query 425 when the communications component 445 identifies that the mobile device changed locations. For example, a Network Interface Card (NIC) may identify that a change in network took place and notify the platform security engine 450 using an event trigger. For example, the communications component 445 may identify a change in location based on the endpoint routing table. Based on the event trigger, the platform security engine 450 may perform a secure location check and dynamically send a location query 425 which is received by a server in cloud computing 415. In an embodiment, by a triggering event causing the mobile device 410 to query a secure location response component 480 in a server in cloud computing 415, the platform security engine 450 may dynamically determine when the mobile device 410 has changed locations.

In an embodiment, the secure location response component 480 in a server in cloud computing 415 may send a response 435 to the platform security engine 450. In an embodiment, a server in cloud computing 415 may be a server located in a data center which provides a public network with little or no security. Unlike an independent service vendor server which provides a secure private network at an office, the server in cloud computing 415 may provide a non-secure public network at a coffee shop, the home of a user of the mobile device, an airport, and other possible non-secure locations.

In an embodiment, the location response 435 from the server in cloud computing 415 may provide information indicating that the mobile device 410 is located on a public network, such as, but not limited to, the Internet. For example, the mobile device 410 may receive a location response 435 from the server in cloud computing 415. In an embodiment, the location response 435 from the server in cloud computing 415 may include information that the mobile device 410 is located on a public network. A public network may be determined by the platform security engine 450 to be a non-secure location and/or environment, as the public network may not have any security to protect the mobile device 410 from external attacks and threats.

In an embodiment, based on the location response 435 indicating that the mobile device 410 is on a public network, the mobile device 410 may determine that it is located in a non-secure location. A public network may be determined not to be a secure location, as a public network may have little or no protection against attacks from other devices, such as, but not limited to, a denial of service attack. A mobile device 410 on a public network may have a high risk of intrusion and/or fraud from malware, such as, but not limited to, viruses, Trojan horses and/or spyware.

Based on the location, a security policy may be set for the mobile device. The security policy may be a set of rules to protect against, detect and/or remove possible attacks and/or threats to the mobile device 410. The security component 470 may set a security policy for the mobile device 410 based on whether the mobile device 410 is in a secure location, such as a private network, or a non-secure location, such as a public network or the Internet.

In an embodiment, the security component 470 may include software elements which set the security policy for the mobile device 410. In an embodiment, the security component 470 may include security software that provides protection to the mobile device 410. In an embodiment, the security component may include endpoint security software. In an embodiment, the security component 470 may set a security policy based on the location of the mobile device 410 determined by the platform security engine 450.

In an embodiment, the security component 470 may query the platform security engine 450 via an application programming interface. Using the application programming interface, the security component 470 may query the platform security engine 450 and dynamically identify whether the mobile device 410 is in a secure location or a non-secure location. The security component 470 may use the query response from the platform security engine 450 to learn whether the location is secure or non-secure, and the security component 470 may implement a security policy based on the determination of the platform security engine 450. In an embodiment, the security component 470 may set and/or adjust the security policy. The security component 470 may set a strict security policy with many rules when the mobile device 410 is in a non-secure location.

In an embodiment, based on the location, communication settings and/or hardware settings may be adjusted on the mobile device 410. In an embodiment, types of communications may be limited when the mobile device 410 is in a non-secure location. In an embodiment, communication rates may be reduced when the mobile device 410 is in a non-secure location. In an embodiment, the hardware settings may be reduced when the mobile device 410 is in a non-secure location. For example, in an embodiment, power consumption may be reduced when the mobile device 410 is in a non-secure location.

Included herein is a set of flow charts representative of exemplary methodologies for performing novel aspects of the disclosed architecture. While, for purposes of simplicity of explanation, the one or more methodologies shown herein, for example, in the form of a flow chart or flow diagram, are shown and described as a series of acts, it is to be understood and appreciated that the methodologies are not limited by the order of acts, as some acts may, in accordance therewith, occur in a different order and/or concurrently with other acts from that shown and described herein. For example, those skilled in the art will understand and appreciate that a methodology could alternatively be represented as a series of interrelated states or events, such as in a state diagram. Moreover, not all acts illustrated in a methodology may be required for a novel implementation.

FIG. 6 illustrates an embodiment of a logic flow 500 of determining a secure location. The logic flow 500 may be representative of some or all of the operations executed by one or more embodiments described herein.

In the illustrated embodiment shown in FIG. 6, the logic flow 500 determines that a mobile device changed locations at block 502. In an embodiment, the platform security engine may receive an event trigger which notifies the platform security engine that the mobile device 210 changed locations. In an embodiment, a communications component 245, such as, but not limited to, a network interface card, may determine that the mobile device 210 has changed locations. In an embodiment, the communications component 245 may send an event trigger to a platform security engine 250 to notify the platform security engine 250 of the change in location of the mobile device 210.

In an embodiment, the logic flow 500 establishes secure communication at block 504. In an embodiment, the secure communication is established from a platform security engine of a mobile device. In an embodiment, the secure communication may include encryption, a certificate and/or an RSA key pair. In an embodiment, secure communication may be established using a secure socket layer (SSL) connection. In an embodiment, the secure communication may use a unique uniform resource locator or a predefined fully qualified domain name.

In an embodiment, the logic flow 500 dynamically sends a location query from a platform security engine of a mobile device at block 506. For example, a platform security engine 350, 450 may send a location query to determine a location of the mobile device. The location query may be received by an independent service vendor server 315 or a server in cloud computing 415. In an embodiment, the location query may be received by an independent service vendor server 315. In an embodiment, the location query may be received by an enterprise server 315. In an embodiment, the location query may be received by a server at a data center associated with cloud computing 415. In an embodiment, the data center may be an Intel® data center and/or a McAfee® data center.

The logic flow 500 may receive a location response at block 508. For example, the location response may provide information that the mobile device 310 is in a private network. In an embodiment, a private network may include, but is not limited to, a corporate network or an enterprise network. For example, the location response may provide information that the mobile device 410 is in a public network, such as, but not limited to, the Internet. The embodiments are not limited to this example.

The logic flow 500 may determine whether the mobile device is located in a secure location based on the location response at block 510. For example, if the platform security engine 350 in the mobile device 310 receives information that the mobile device 310 is located on a private network, then the platform security engine 350 may determine that it is located in a secure location. In an embodiment, the platform security engine 350 may determine that it is in a secure location when it receives a location response stating that it is on a private network. In an embodiment, the platform security engine 450 may determine that it is in a non-secure location when it receives a location response stating that it is on a public network.

For example, if the platform security engine 350 receives information that the mobile device 310 is located on a private network, then the platform security engine 350 may determine that the mobile device 310 is located in a secure location. A private network may be determined to be a secure location, as a private network may have secure firewalls, encryption and/or other types of security to protect the mobile device from external attacks and threats.

For example, if the platform security engine 450 receives information that the mobile device 410 is located on a public network, then the platform security engine 450 may determine that the mobile device is located in a non-secure location. A public network may be determined not to be a secure location, as a public network may have little or no protection against attacks from other devices.

Based on the location, a security policy may be set by a security component 270 for the mobile device. The security policy may be a set of rules to protect against, detect and/or remove possible attacks and/or threats to the mobile device 310, 410. The security component 270 may determine a security policy for the mobile device 310, 410 based on whether the mobile device 310, 410 is in a secure location, such as a private network, or a non-secure location, such as a public network. In an embodiment, the security component 270 may set a lenient security policy with a few rules when the mobile device 310, 410 is in a secure location, or the security component 270 may set a strict security policy with many rules when the mobile device 310, 410 is in a non-secure location.

FIG. 7 illustrates an embodiment of a logic flow 600 of setting a security policy. The logic flow 600 may be representative of some or all of the operations executed by one or more embodiments described herein.

In the illustrated embodiment shown in FIG. 7, the logic flow 600 may send a policy query via an application programming interface at block 602. For example, the security component 270 in the mobile device 310, 410 may send a policy query to the platform security engine 250. In an embodiment, the security component 270 may include, but is not limited to, a personal firewall, host data loss prevention (DLP) software, host intrusion prevention software (IPS), and/or antivirus software.

As discussed above with reference to FIG. 6, in block 506, the platform security engine 250 may determine whether the mobile device 310, 410 is located in a secure location. The platform security engine 250 may receive a policy query via an application programming interface. In an embodiment, the application programming interface may allow the security component 270 to communicate with the platform security engine 250. In an embodiment, the application programming interface may determine when the security component 270 should send a policy query to the platform security engine 250. In an embodiment, the application programming interface may send a policy query to the platform security engine 250 when the mobile device 310, 410 changed locations. In an embodiment, the security component 270 on the mobile device 310, 410 may send a policy query to the platform security engine 250 to determine whether the mobile device 310, 410 is located in a secure location.

In an embodiment, prior to the security component 270 communicating with the platform security engine 250, the platform security engine 250 may authenticate with the security component 270. In an embodiment, the platform security engine 250 may use a self-generated RSA key pair to authenticate with the security component 270. In an embodiment, the security component 270 may perform a secure handshake with the platform security engine 250 for authentication.

The logic flow 600 may receive a policy response with information indicating whether the mobile device 310, 410 is located in a secure location at block 604. For example, the platform security engine 250 may send a policy response, via the application programming interface, to the security component 270. In an embodiment, the security component 270 may receive the policy response via an application programming interface. In an embodiment, the policy response may include information indicating that the mobile device 310 is located in a secure location. In an embodiment, the policy response may include information indicating that the mobile device 410 is located in a non-secure location. The embodiments are not limited to this example.

The logic flow 600 may set a security policy based on the policy response at block 606. In an embodiment, the security component 270 may set a security policy based on the policy response from the platform security engine 250. In an embodiment, the policy response will include information indicating whether the mobile device 310, 410 is located in a secure location. For example, the security component 270 may set a security policy based on the policy response.

The security policy may be a set of rules to protect against, detect and/or remove possible attacks and/or threats to the mobile device. In an embodiment, the security policy may include a few rules and be a lenient security policy when the mobile device 310 is in a secure location. For example, if the mobile device 310 is on the private network, then the security policy may include fewer rules as the mobile device 310 is in a trusted network. In an embodiment, the security policy may have no rules when the mobile device 310 is in a trusted network. As the secure location may already have security measures to protect the mobile device 310 from attacks and/or threats, the mobile device does not need a strict security policy. The embodiments are not limited to this example.

In an embodiment, the security policy may include a strict security policy with many rules when the mobile device 410 is in a non-secure location. For example, if the mobile device 410 is on a public network, such as, but not limited to, the Internet, then the security policy may include more rules as the mobile device 410 is not in a trusted network. A public network is not a secure location and/or environment, as a public network may have little or no protection against attacks from other devices. Accordingly, a mobile device 410 on a public network may have a strict security policy to protect the mobile device 410. The embodiments are not limited to this example.

FIG. 8 illustrates an embodiment of a logic flow 700 of a location response. In an embodiment, the logic flow 700 establishes secure communication at block 702. In an embodiment, secure communication may be established between an independent service vendor server 315 and a platform security engine 350 of a mobile device 310. In an embodiment, secure communication may be established between a server in cloud computing 415 and a platform security engine 450 of a mobile device 410. In an embodiment, the secure communication may include encryption, a certificate and/or an RSA key pair. In an embodiment, secure communication may be established using a secure socket layer (SSL) connection. In an embodiment, the secure communication may use a unique uniform resource locator or a predefined fully qualified domain name.

The logic flow 700 may receive a location query at block 704. In an embodiment, the independent service vendor server 315, such as, but not limited to, an enterprise server, may receive a location query. In an embodiment, a server in cloud computing 415 may receive a location query. In an embodiment, the location query may ask where the mobile device 310, 410 is located.

The logic flow 700 may send a location response at block 706. In an embodiment, a location response may be sent to the platform security engine 250. The location response may include information indicating whether the mobile device 310, 410 is in a secure location or a non-secure location.
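The following is an added example, not code from the patent, that simulates the three logic flows end to end: the platform security engine (logic flow 500) reacts to a routing-table event trigger, sends a location query to a secure location response component (logic flow 700), verifies the response, and answers the security component's policy query (logic flow 600). It assumes an HMAC over a fresh nonce as a stand-in for the RSA key pair and SSL certificate the text describes; the hostname, key and rule names are constructed placeholders.

```python
# Added example (not the patent's code). Stand-ins: HMAC instead of the RSA
# key pair / SSL certificate; SLA_FQDN, SHARED_KEY and rule names are
# constructed placeholders.
import hashlib
import hmac
import json
import os

SHARED_KEY = b"constructed-demo-key"   # stand-in for provisioned key material
SLA_FQDN = "sla.example.invalid"       # stand-in for the predefined FQDN


def _mac(key: bytes, body: dict) -> str:
    """MAC over a canonical JSON encoding of a location response body."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class SecureLocationResponseComponent:
    """Server side (logic flow 700): answers a location query with an authenticated response."""

    def __init__(self, key: bytes, network_type: str):
        self.key = key                      # key the genuine server was provisioned with
        self.network_type = network_type    # "private" (corporate) or "public" (Internet)

    def handle_location_query(self, query: dict) -> dict:
        # Echo the client's nonce so the engine can tie the answer to its own query.
        body = {"nonce": query["nonce"], "network": self.network_type, "fqdn": SLA_FQDN}
        return {"body": body, "mac": _mac(self.key, body)}


class PlatformSecurityEngine:
    """Client side (logic flow 500): event trigger -> location query -> verified decision."""

    def __init__(self, key: bytes, server: SecureLocationResponseComponent):
        self.key = key
        self.server = server
        self.secure_location = False    # fail closed until a response verifies
        self._routes = None

    def on_route_table_change(self, routes: tuple) -> bool:
        """Event trigger from the communications component (e.g. the NIC)."""
        if routes == self._routes:
            return self.secure_location  # no change in location, no new query
        self._routes = routes
        return self.secure_location_check()

    def secure_location_check(self) -> bool:
        nonce = os.urandom(16).hex()
        response = self.server.handle_location_query({"nonce": nonce})
        self.secure_location = self._verify(response, nonce)
        return self.secure_location

    def _verify(self, response: dict, nonce: str) -> bool:
        body = response.get("body", {})
        # A forged or replayed response fails here, so a spoofed environment
        # cannot talk the engine into "secure" (the lying endpoint problem).
        if not hmac.compare_digest(_mac(self.key, body), response.get("mac", "")):
            return False
        if body.get("nonce") != nonce or body.get("fqdn") != SLA_FQDN:
            return False
        return body.get("network") == "private"

    def policy_query(self) -> dict:
        """Application programming interface used by the security component."""
        return {"secure_location": self.secure_location}


class SecurityComponent:
    """Endpoint security software (logic flow 600): maps the policy response to rules."""
    LENIENT = ("antivirus",)
    STRICT = ("antivirus", "personal_firewall", "host_ips", "host_dlp")

    def __init__(self, engine: PlatformSecurityEngine):
        self.engine = engine
        self.rules = self.STRICT

    def apply_policy(self) -> tuple:
        response = self.engine.policy_query()
        self.rules = self.LENIENT if response["secure_location"] else self.STRICT
        return self.rules


def run_scenario(network_type: str, server_key: bytes = SHARED_KEY) -> tuple:
    """Simulate one location change and return the rules the security component applies."""
    server = SecureLocationResponseComponent(server_key, network_type)
    engine = PlatformSecurityEngine(SHARED_KEY, server)
    component = SecurityComponent(engine)
    engine.on_route_table_change(("default via 10.0.0.1 dev eth0",))  # constructed route entry
    return component.apply_policy()


if __name__ == "__main__":
    print("private network, genuine server:", run_scenario("private"))
    print("public network, genuine server :", run_scenario("public"))
    print("server without the right key   :", run_scenario("private", b"wrong-key"))
```

The third scenario shows the defensive point of the design: a responder that cannot authenticate is treated exactly like a public network, so the strict policy applies.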

FIG. 9 illustrates an embodiment of an exemplary computing architecture800 suitable for implementing various embodiments as previouslydescribed. As used in this application, the terms “system” and“component” are intended to refer to a computer-related entity, eitherhardware, a combination of hardware and software, software, or softwarein execution, examples of which are provided by the exemplary computingarchitecture 800. For example, a component can be, but is not limited tobeing, a process running on a processor, a processor, a hard disk drive,multiple storage drives (of optical and/or magnetic storage medium), anobject, an executable, a thread of execution, a program, and/or acomputer. By way of illustration, both an application running on aserver and the server can be a component. One or more components canreside within a process and/or thread of execution, and a component canbe localized on one computer and/or distributed between two or morecomputers. Further, components may be communicatively coupled to eachother by various types of communications media to coordinate operations.The coordination may involve the uni-directional or bi-directionalexchange of information. For instance, the components may communicateinformation in the form of signals communicated over the communicationsmedia. The information can be implemented as signals allocated tovarious signal lines. In such allocations, each message is a signal.Further embodiments, however, may alternatively employ data messages.Such data messages may be sent across various connections. Exemplaryconnections include parallel interfaces, serial interfaces, and businterfaces.

In one embodiment, the computing architecture 800 may comprise or beimplemented as part of an electronic device. Examples of an electronicdevice may include without limitation a mobile device, a mobileendpoint, a personal digital assistant, a mobile computing device, asmart phone, a cellular telephone, a handset, a one-way pager, a two-waypager, a messaging device, a computer, a personal computer (PC), adesktop computer, a laptop computer, a notebook computer, a handheldcomputer, a tablet computer, a server, a server array or server farm, aweb server, a network server, an Internet server, a work station, amini-computer, a main frame computer, a supercomputer, a networkappliance, a web appliance, a distributed computing system,multiprocessor systems, processor-based systems, consumer electronics,programmable consumer electronics, television, digital television, settop box, wireless access point, base station, subscriber station, mobilesubscriber center, radio network controller, router, hub, gateway,bridge, switch, machine, or combination thereof. The embodiments are notlimited in this context.

The computing architecture 800 includes various common computingelements, such as one or more processors, co-processors, memory units,chipsets, controllers, peripherals, interfaces, oscillators, timingdevices, video cards, audio cards, multimedia input/output (I/O)components, and so forth. The embodiments, however, are not limited toimplementation by the computing architecture 800.

As shown in FIG. 9, the computing architecture 800 comprises aprocessing unit 804, a system memory 806 and a system bus 808. Theprocessing unit 804 can be any of various commercially availableprocessors. Dual microprocessors and other multi-processor architecturesmay also be employed as the processing unit 804. The system bus 808provides an interface for system components including, but not limitedto, the system memory 806 to the processing unit 804. The system bus 808can be any of several types of bus structure that may furtherinterconnect to a memory bus (with or without a memory controller), aperipheral bus, and a local bus using any of a variety of commerciallyavailable bus architectures.

The computing architecture 800 may comprise or implement variousarticles of manufacture. An article of manufacture may comprise acomputer-readable storage medium to store logic. Examples of acomputer-readable storage medium may include any tangible media capableof storing electronic data, including volatile memory or non-volatilememory, removable or non-removable memory, erasable or non-erasablememory, writeable or re-writeable memory, and so forth. Examples oflogic may include executable computer program instructions implementedusing any suitable type of code, such as source code, compiled code,interpreted code, executable code, static code, dynamic code,object-oriented code, visual code, and the like.

The system memory 806 may include various types of computer-readablestorage media in the form of one or more higher speed memory units, suchas read-only memory (ROM), random-access memory (RAM), dynamic RAM(DRAM), Double-Data-Rate DRAM (DDRAM), synchronous DRAM (SDRAM), staticRAM (SRAM), programmable ROM (PROM), erasable programmable ROM (EPROM),electrically erasable programmable ROM (EEPROM), flash memory, polymermemory such as ferroelectric polymer memory, ovonic memory, phase changeor ferroelectric memory, silicon-oxide-nitride-oxide-silicon (SONOS)memory, magnetic or optical cards, or any other type of media suitablefor storing information. In the illustrated embodiment shown in FIG. 9,the system memory 806 can include non-volatile memory 810 and/orvolatile memory 812. A basic input/output system (BIOS) can be stored inthe non-volatile memory 810.

The computer 802 may include various types of computer-readable storagemedia in the form of one or more lower speed memory units, including aninternal hard disk drive (HDD) 814, a magnetic floppy disk drive (FDD)816 to read from or write to a removable magnetic disk 818, and anoptical disk drive 820 to read from or write to a removable optical disk822 (e.g., a CD-ROM or DVD). The HDD 814, FDD 816 and optical disk drive820 can be connected to the system bus 808 by a HDD interface 824, anFDD interface 826 and an optical drive interface 828, respectively. TheHDD interface 824 for external drive implementations can include atleast one or both of Universal Serial Bus (USB) and IEEE 1394 interfacetechnologies.

The drives and associated computer-readable media provide volatileand/or nonvolatile storage of data, data structures, computer-executableinstructions, and so forth. For example, a number of program modules canbe stored in the drives and memory units 810, 812, including anoperating system 830, one or more application programs 832, otherprogram modules 834, and program data 836.

The one or more application programs 832, other program modules 834, andprogram data 836 can include, for example, the security component.

A user can enter commands and information into the computer 802 throughone or more wire/wireless input devices, for example, a keyboard 838 anda pointing device, such as a mouse 840. Other input devices may includea microphone, an infra-red (IR) remote control, a joystick, a game pad,a stylus pen, touch screen, or the like. These and other input devicesare often connected to the processing unit 804 through an input deviceinterface 842 that is coupled to the system bus 808, but can beconnected by other interfaces such as a parallel port, IEEE 1394 serialport, a game port, a USB port, an IR interface, and so forth.

A monitor 844 or other type of display device is also connected to the system bus 808 via an interface, such as a video adaptor 846. In addition to the monitor 844, a computer typically includes other peripheral output devices, such as speakers, printers, and so forth.

The computer 802 may operate in a networked environment using logical connections via wire and/or wireless communications to one or more remote computers, such as a remote computer 848. The remote computer 848 can be a workstation, a server computer, a router, a personal computer, portable computer, microprocessor-based entertainment appliance, a peer device or other common network node, and typically includes many or all of the elements described relative to the computer 802, although, for purposes of brevity, only a memory/storage device 850 is illustrated. The logical connections depicted include wire/wireless connectivity to a local area network (LAN) 852 and/or larger networks, for example, a wide area network (WAN) 854. Such LAN and WAN networking environments are commonplace in offices and companies, and facilitate enterprise-wide computer networks, such as intranets, all of which may connect to a global communications network, for example, the Internet.

When used in a LAN networking environment, the computer 802 is connected to the LAN 852 through a wire and/or wireless communication network interface or adaptor 856. The adaptor 856 can facilitate wire and/or wireless communications to the LAN 852, which may also include a wireless access point disposed thereon for communicating with the wireless functionality of the adaptor 856.

When used in a WAN networking environment, the computer 802 can include a modem 858, or is connected to a communications server on the WAN 854, or has other means for establishing communications over the WAN 854, such as by way of the Internet. The modem 858, which can be internal or external and a wire and/or wireless device, connects to the system bus 808 via the input device interface 842. In a networked environment, program modules depicted relative to the computer 802, or portions thereof, can be stored in the remote memory/storage device 850. It will be appreciated that the network connections shown are exemplary and other means of establishing a communications link between the computers can be used.

The computer 802 may be arranged to communicate information over one or more types of wireless communication links. Examples of a wireless communication link may include, without limitation, a radio channel, infrared channel, radio-frequency (RF) channel, Wireless Fidelity (WiFi) channel, a portion of the RF spectrum, and/or one or more licensed or license-free frequency bands. In the latter case, the wireless devices may include one or more wireless interfaces and/or components for wireless communication, such as one or more transmitters, receivers, transmitter/receivers (“transceivers”), radios, chipsets, amplifiers, filters, control logic, network interface cards (NICs), antennas, antenna arrays, and so forth. Examples of an antenna may include, without limitation, an internal antenna, an omni-directional antenna, a monopole antenna, a dipole antenna, an end fed antenna, a circularly polarized antenna, a micro-strip antenna, a diversity antenna, a dual antenna, an antenna array, and so forth. In one embodiment, certain devices may include antenna arrays of multiple antennas to implement various adaptive antenna techniques and spatial diversity techniques.

The computer 802 is operable to communicate with wire and wireless devices or entities using the IEEE 802 family of standards, such as wireless devices operatively disposed in wireless communication (e.g., IEEE 802.11 over-the-air modulation techniques) with, for example, a printer, scanner, desktop and/or portable computer, personal digital assistant (PDA), communications satellite, any piece of equipment or location associated with a wirelessly detectable tag (e.g., a kiosk, news stand, restroom), and telephone. This includes at least Wi-Fi (or Wireless Fidelity), WiMax, and Bluetooth™ wireless technologies. Thus, the communication can be a predefined structure as with a conventional network or simply an ad hoc communication between at least two devices. Wi-Fi networks use radio technologies called IEEE 802.11x (a, b, g, n, etc.) to provide secure, reliable, fast wireless connectivity. A Wi-Fi network can be used to connect computers to each other, to the Internet, and to wire networks (which use IEEE 802.3-related media and functions).

The computer 802 may comprise or be implemented as a mobile broadband communications system. Examples of mobile broadband communications systems include, without limitation, systems compliant with various Institute of Electrical and Electronics Engineers (IEEE) standards, such as the IEEE 802.11 standards for Wireless Local Area Networks (WLANs) and variants, the IEEE 802.16 standards for Wireless Metropolitan Area Networks (WMANs) and variants, and the IEEE 802.20 or Mobile Broadband Wireless Access (MBWA) standards and variants, among others. In one embodiment, for example, the communications system 100 may be implemented in accordance with the Worldwide Interoperability for Microwave Access (WiMAX) or WiMAX II standard. WiMAX is a wireless broadband technology based on the IEEE 802.16 standard of which IEEE 802.16-2004 and the 802.16e amendment (802.16e-2005) are Physical (PHY) layer specifications. WiMAX II is an advanced Fourth Generation (4G) system based on the IEEE 802.16j and IEEE 802.16m proposed standards for International Mobile Telecommunications (IMT) Advanced 4G series of standards. The embodiments are not limited in this context.

The computer 802 is operable to communicate, manage, or process information in accordance with one or more protocols. A protocol may comprise a set of predefined rules or instructions for managing communication among devices. In various embodiments, for example, the communications system 100 (from FIG. 1) may employ one or more protocols such as a beam forming protocol, medium access control (MAC) protocol, Physical Layer Convergence Protocol (PLCP), Simple Network Management Protocol (SNMP), Asynchronous Transfer Mode (ATM) protocol, Frame Relay protocol, Systems Network Architecture (SNA) protocol, Transport Control Protocol (TCP), Internet Protocol (IP), TCP/IP, X.25, Hypertext Transfer Protocol (HTTP), User Datagram Protocol (UDP), a contention-based period (CBP) protocol, a distributed contention-based period (CBP) protocol and so forth. In various embodiments, the communications system 100 also may be arranged to operate in accordance with standards and/or protocols for media processing. The embodiments are not limited in this context.

The computer 802 may be arranged to communicate one or more types of information, such as media information and control information. Media information generally may refer to any data representing content meant for a user, such as image information, video information, graphical information, audio information, voice information, textual information, numerical information, alphanumeric symbols, character symbols, and so forth. Control information generally may refer to any data representing commands, instructions or control words meant for an automated system. For example, control information may be used to route media information through a system, or instruct a device to process the media information in a certain manner. The media and control information may be communicated from and to a number of different devices or networks.

FIG. 10 illustrates a block diagram of an exemplary communications architecture 900 suitable for implementing various embodiments as previously described. The communications architecture 900 includes various common communications elements, such as a transmitter, receiver, transceiver, radio, network interface, baseband processor, antenna, amplifiers, filters, and so forth. The embodiments, however, are not limited to implementation by the communications architecture 900.

As shown in FIG. 10, the communications architecture 900 includes one or more clients 902 and servers 904. The clients 902 may implement the client systems 210, 310, 410. The servers 904 may implement the server systems 215, 315, 415. The clients 902 and the servers 904 are operatively connected to one or more respective client data stores 908 and server data stores 910 that can be employed to store information local to the respective clients 902 and servers 904, such as cookies and/or associated contextual information.

The clients 902 and the servers 904 may communicate information between each other using a communications framework 906. The communications framework 906 may implement any well-known communications techniques and protocols, such as those described with reference to systems 200, 300, 400 and 800. The communications framework 906 may be implemented as a packet-switched network (e.g., public networks such as the Internet, private networks such as an enterprise intranet, and so forth), a circuit-switched network (e.g., the public switched telephone network), or a combination of a packet-switched network and a circuit-switched network (with suitable gateways and translators).

Some embodiments may be described using the expression “one embodiment” or “an embodiment” along with their derivatives. These terms mean that a particular feature, structure, or characteristic described in connection with the embodiment is included in at least one embodiment. The appearances of the phrase “in one embodiment” in various places in the specification are not necessarily all referring to the same embodiment. Further, some embodiments may be described using the expression “coupled” and “connected” along with their derivatives. These terms are not necessarily intended as synonyms for each other. For example, some embodiments may be described using the terms “connected” and/or “coupled” to indicate that two or more elements are in direct physical or electrical contact with each other. The term “coupled,” however, may also mean that two or more elements are not in direct contact with each other, but yet still co-operate or interact with each other.

It is emphasized that the Abstract of the Disclosure is provided to allow a reader to quickly ascertain the nature of the technical disclosure. It is submitted with the understanding that it will not be used to interpret or limit the scope or meaning of the claims. In addition, in the foregoing Detailed Description, it can be seen that various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments require more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive subject matter lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby incorporated into the Detailed Description, with each claim standing on its own as a separate embodiment. In the appended claims, the terms “including” and “in which” are used as the plain-English equivalents of the respective terms “comprising” and “wherein,” respectively. Moreover, the terms “first,” “second,” “third,” and so forth, are used merely as labels, and are not intended to impose numerical requirements on their objects.

What has been described above includes examples of the disclosed architecture. It is, of course, not possible to describe every conceivable combination of components and/or methodologies, but one of ordinary skill in the art may recognize that many further combinations and permutations are possible. Accordingly, the novel architecture is intended to embrace all such alterations, modifications and variations that fall within the spirit and scope of the appended claims.

1.-28. (canceled)
29. An apparatus, comprising: processing circuitry; and memory to store instructions operable on the processing circuitry, the instructions, when executed, to cause the processing circuitry to: establish secure communication between a platform security engine of a mobile device and a server via a secure communications media; identify a location of the mobile device in response to a location query from the platform security engine of the mobile device; and cause communication of a location response to the platform security engine of the mobile device based on the location of the mobile device.

30. The apparatus of claim 29, the processing circuitry to communicate the location response to the platform security engine via the secure communications media.

31. The apparatus of claim 30, wherein communication of the location response to the platform security engine via the secure communications media utilizes one or more of encryption, a certificate, or a Rivest-Shamir-Adleman (RSA) key pair.

32. The apparatus of claim 29, the processing circuitry to receive the location query from the platform security engine of the mobile device via the secure communications media.

33. The apparatus of claim 29, wherein the location response comprises an indication that the mobile device is in a secure location.

34. The apparatus of claim 29, wherein the location response comprises an indication that the mobile device is in a non-secure location.

35. The apparatus of claim 29, the processing circuitry to establish secure communication between the platform security engine of the mobile device and the server using a secure socket layer (SSL) connection.

36. The apparatus of claim 29, the processing circuitry to determine a unique uniform resource locator or a predefined fully qualified domain name to establish secure communication between the platform security engine of the mobile device and the server.

37. The apparatus of claim 29, wherein the server comprises a cloud computing server.

38. A method, comprising: establishing secure communication between a platform security engine of a mobile device and a server via a secure communications media; identifying a location of the mobile device in response to a location query from the platform security engine of the mobile device; and generating a location response to communicate to the platform security engine of the mobile device based on the location of the mobile device.

39. The method of claim 38, comprising communicating the location response to the platform security engine via the secure communications media.

40. The method of claim 39, communication of the location response to the platform security engine via the secure communications media to utilize one or more of encryption, a certificate, or a Rivest-Shamir-Adleman (RSA) key pair.

41. The method of claim 38, comprising receiving the location query from the platform security engine of the mobile device via the secure communications media.

42. The method of claim 38, the location response comprising an indication that the mobile device is in a secure location.

43. The method of claim 38, the location response comprising an indication that the mobile device is in a non-secure location.

44. The method of claim 38, comprising establishing secure communication between the platform security engine of the mobile device and the server using a secure socket layer (SSL) connection.

45. The method of claim 38, comprising determining a unique uniform resource locator or a predefined fully qualified domain name to establish secure communication between the platform security engine of the mobile device and the server.

46. The method of claim 38, the server comprising a cloud computing server.

47. An article of manufacture comprising a non-transitory storage medium comprising instructions that when executed enable a system to: establish secure communication between a platform security engine of a mobile device and a server via a secure communications media; identify a location of the mobile device in response to a location query from the platform security engine of the mobile device; and generate a location response to communicate to the platform security engine of the mobile device based on the location of the mobile device.

48. The article of claim 47, the non-transitory storage medium comprising instructions that when executed enable the system to communicate the location response to the platform security engine via the secure communications media.

49. The article of claim 48, communication of the location response to the platform security engine via the secure communications media to utilize one or more of encryption, a certificate, or a Rivest-Shamir-Adleman (RSA) key pair.

50. The article of claim 47, the non-transitory storage medium comprising instructions that when executed enable the system to receive the location query from the platform security engine of the mobile device via the secure communications media.

51. The article of claim 47, the location response comprising an indication that the mobile device is in a secure location.

52. The article of claim 47, the location response comprising an indication that the mobile device is in a non-secure location.

53. The article of claim 47, the non-transitory storage medium comprising instructions that when executed enable the system to establish secure communication between the platform security engine of the mobile device and the server using a secure socket layer (SSL) connection.
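The location query/response exchange recited in claims 29 through 53 above, as an added example that is not part of the patent or of any product: a server that decides the location from what it observes on the secure channel, and a platform security engine that accepts only an authentic, fresh answer and otherwise falls back to non-secure, which is what closes the lying-endpoint gap. It assumes a pre-shared key standing in for the secret of the secure channel and authenticates the response with an HMAC instead of the certificate or RSA key pair the claims mention; the address ranges, device identifier and key are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

def _mac(key: bytes, body: dict) -> str:
    """Authenticate a location response over a canonical JSON encoding."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()

class LocationServer:
    """Server side of claims 29, 38 and 47: identify the location, answer the query."""

    def __init__(self, key: bytes, secure_networks):
        self._key = key
        # Constructed policy: address ranges the enterprise treats as secure.
        self._secure = [ipaddress.ip_network(n) for n in secure_networks]

    def handle_query(self, query: dict, observed_src_ip: str) -> dict:
        # The verdict comes from what the server observes on the secure channel (the
        # peer address), not from attributes the endpoint reports about itself.
        addr = ipaddress.ip_address(observed_src_ip)
        body = {"device_id": query["device_id"], "nonce": query["nonce"],
                "secure": any(addr in net for net in self._secure)}
        return {"body": body, "mac": _mac(self._key, body)}

class PlatformSecurityEngine:
    """Device side: issue a location query, trust only an authentic, fresh answer."""

    def __init__(self, key: bytes, device_id: str):
        self._key, self._device_id, self._nonce = key, device_id, None

    def build_query(self) -> dict:
        self._nonce = secrets.token_hex(16)  # fresh per query; binds the answer to it
        return {"device_id": self._device_id, "nonce": self._nonce}

    def evaluate(self, response) -> bool:
        """True only for a verified response marking the location secure;
        missing, tampered, replayed or mismatched responses fail closed."""
        if not isinstance(response, dict):
            return False
        body, mac = response.get("body"), response.get("mac")
        if not isinstance(body, dict) or not isinstance(mac, str):
            return False
        if not hmac.compare_digest(mac, _mac(self._key, body)):
            return False
        if body.get("nonce") != self._nonce or body.get("device_id") != self._device_id:
            return False
        return body.get("secure") is True

def run_exchange(observed_src_ip: str, tamper: bool = False) -> bool:
    key = b"constructed-demo-key"  # stands in for the secure channel's secret
    server = LocationServer(key, ["10.20.0.0/16"])
    pse = PlatformSecurityEngine(key, "device-0001")
    response = server.handle_query(pse.build_query(), observed_src_ip)
    if tamper:
        response["body"]["secure"] = True  # flip the verdict without a valid MAC
    return pse.evaluate(response)
```

Calling `run_exchange("10.20.5.7")` yields a secure verdict, while an address outside the policy, a tampered body, a missing response or a response to an earlier query all evaluate to non-secure.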